- devenv.nix with Rust toolchain, protobuf, SpiceDB, cargo-nextest
- build.rs with tonic-build for authzed/api v1.45.4 protos
- Proto stubs for external imports (buf/validate, google/api, etc.)
- Approved requirements spec (v4) at specs/requirements/001-rust-spicedb-client.md

...onflicts)

Copilot AI left a comment

Domain types (FR-8, FR-9, FR-10):
- ObjectReference, SubjectReference with validation
- Relationship, RelationshipUpdate, Caveat, ContextValue
- ZedToken with Debug redaction and optional serde
- PermissionResult (Allowed/Denied/Conditional) with is_allowed()
- RelationshipFilter, SubjectFilter, Precondition
- PermissionTree with recursive node structure
- Consistency enum (4 modes)
- LookupResourceResult, LookupSubjectResult, ReadRelationshipResult
- WatchEvent (behind watch feature)
Error handling (FR-7):
- Error enum: Transport, Status, InvalidArgument, Serialization, ConditionalPermission
- is_retryable() for UNAVAILABLE and DEADLINE_EXCEEDED
- from_status() for gRPC error mapping
Client (FR-1):
- Client::new(), Client::builder(), Client::from_channel()
- Bearer token interceptor on all requests
- Clone + Send + Sync (compile-time verified)
- Insecure connection validation (FR-1.3)
- Connect timeout and default timeout support
PermissionsService (FR-2):
- check_permission with consistency and context builders
- write_relationships with preconditions
- delete_relationships with preconditions
- lookup_resources (streaming)
- lookup_subjects (streaming)
- read_relationships (streaming)
- expand_permission_tree
SchemaService (FR-3):
- read_schema -> (String, ZedToken)
- write_schema with empty string validation
WatchService (FR-4, behind watch feature):
- watch with object type filters and after_token resume
All streaming methods return impl Stream<Item = Result<T, Error>>.
37 tests passing (28 unit + 9 doc), zero clippy warnings.

ExperimentalService (FR-5, behind 'experimental' feature):
- bulk_check_permissions: batch check in single round-trip
- bulk_import_relationships: client-streaming import
- bulk_export_relationships: server-streaming export
README with quick start, streaming, feature flags, error handling, and dev setup.
All 37 tests pass, zero clippy warnings.

CI pipeline (6 jobs):
- check: cargo check with default and all features
- fmt: cargo fmt --check
- clippy: cargo clippy -D warnings (default + all features)
- test: cargo test (default + all features)
- doc: cargo doc --all-features with -Dwarnings
- msrv: verify builds on Rust 1.75 (async fn in traits)
- integration: runs against SpiceDB in Docker
Integration tests (all #[ignore], run with --ignored):
- write_and_read_schema
- write_schema_empty_rejected
- write_and_check_permission (Allowed + Denied)
- read_relationships (streaming, count verification)
- lookup_resources (streaming, multi-resource)
- lookup_subjects (streaming, multi-subject)
- delete_relationships (write, verify, delete, verify)
- watch_receives_updates (behind watch feature)
- bulk_check_permissions (behind experimental feature)

Integration tests now run as part of every cargo test invocation.
CI test job starts SpiceDB in Docker before running tests.
Separate integration job removed — single test job covers everything.
Locally: start SpiceDB via 'spicedb-up' (devenv script) before running tests.

Copilot AI left a comment

Review comment fixes:
1. Fix 'Idiomacy' → 'Idiomaticity' typo in spec (NFR-1)
2. Add empty vec validation in write_relationships before network call (FR-10.1)
3. Fix loopback check bypass — parse URI properly instead of substring
 matching, preventing hosts like 'localhost.evil.com' from being
 treated as loopback
4. Add .consistency() to DeleteRelationshipsRequest — removed after
 checking proto (DeleteRelationships doesn't accept consistency);
 updated spec to match proto
5. Batch bulk import with chunks of 128 instead of 1-per-message,
 using async_stream for proper streaming batches
6. Remove .tls(bool) from spec — TLS is by URI scheme only;
 advanced TLS via Client::from_channel()
7. Validate SubjectReference::new rejects Some("") — use None instead
8. Validate exclusion tree node requires exactly 2 children (not >= 2)
9. Add integration test for write_relationships(vec![]) rejection
10. Add unit test for SubjectReference empty relation rejection
38 tests passing (29 unit + 9 doc), zero clippy warnings.

- Run cargo fmt to fix all formatting differences
- Bump MSRV from 1.75 to 1.80 (Cargo.lock v4 not supported by 1.75)
- Add rust-version = '1.80' to Cargo.toml
- MSRV job generates fresh lockfile compatible with older Cargo
- Split test job: unit tests (--lib), doc tests (--doc), integration
 tests (--test integration) run separately so unit tests don't need
 SpiceDB and integration tests always have it available

Replace manual Docker setup with testcontainers-rs:
- Define SpiceDbImage implementing testcontainers::Image
- Each test spins up its own isolated SpiceDB container
- Container is automatically cleaned up when test completes
- No external Docker setup needed in CI — just a Docker socket
- Remove Docker run/wait/logs steps from CI workflow
- Add testcontainers 0.27 as dev-dependency
Benefits:
- Full test isolation (each test gets its own SpiceDB)
- No port conflicts between parallel tests
- No manual container lifecycle management
- Same behavior locally and in CI

- SpiceDB serve defaults to no TLS without cert paths; --grpc-no-tls
 is not a valid flag in latest SpiceDB
- Drop MSRV CI job: transitive deps (getrandom 0.4) require edition
 2024 / Rust 1.85+, making lower MSRV enforcement impractical

Instead of each test spawning its own container (10 containers in
parallel on CI), use a shared container via tokio::sync::OnceCell.
Schema is written once during init. Each test uses unique resource IDs
to avoid interference.
Also add 5-minute timeout to integration test step to prevent hangs.

The testcontainers log-based wait detects the 'grpc server started
serving' message, but the gRPC endpoint may not be fully ready yet.
Add a retry loop (up to 30 attempts, 200ms apart) that connects and
does a read_schema() health probe before proceeding.

...tests
SpiceDB returns NotFound ('No schema has been defined') when it's
serving but has no schema written yet. The readiness check was treating
this as a failure, causing all integration tests to fail after retries.
Now the readiness probe accepts both Ok and NotFound as indicators
that SpiceDB is up and serving gRPC requests.

...rors
Each #[tokio::test] creates its own tokio runtime. The tonic Channel
created during container initialization is bound to the initializing
runtime's executor. When other tests (on different runtimes) tried to
use the shared Channel, they got 'transport error' / 'Service was not
ready' failures.
Fix: share only the testcontainer (via OnceCell), and create a new
Client on the caller's runtime for each test invocation.